SuseFirewall2 or IPTables, is there a difference
Recent events have made me think about firewalls. What is the difference between SuseFirewall2 and the firewalls found in other distros - which I am assuming are referred to as IPTables. Thanks again. -- Colin@SpudULike.me.uk As seasons go I especially like pepper.
Colin Murphy wrote:
Recent events have made me think about firewalls.
What is the difference between SuseFirewall2 and the firewalls found in other distros - which I am assuming are referred to as IPTables.
Susefirewall2 is just a set of scripts and configuration files to configure IPtables on the fly, which is probably the same as most distros offer. I've no experience with those, but I assume they are about as straightforward, and allow the same kind of versatility/complexity of the firewall, as Susefirewall -- which is to say, easy as blazes to configure but far too simplified for any but the most modest of firewall requirements. They're all pretty good at what they can do, but rather limited in their flexibility. (Since someone is bound to try to tell me how complex a setup he has at home, let me add this: even if you have an internal LAN and have fully configured all your firewall rules/policies, masqing and routing in Yast, I still say your requirements are modest -- and if you happen to have 5 internal LANs on one router/firewall that includes port forwarding, etc but still used Yast to configure it, I can only suggest it would have taken you about 1/4 the time under something like Shorewall :-) )
(Since someone is bound to try to tell me how complex a setup he has at home, let me add this: even if you have an internal LAN and have fully configured all your firewall rules/policies, masqing and routing in Yast, I still say your requirements are modest -- and if you happen to have 5 internal LANs on one router/firewall that includes port forwarding, etc but still used Yast to configure it, I can only suggest it would have taken you about 1/4 the time under something like Shorewall :-) )
Bottom line is this; How much are you willing to read and understand the SuSEfirewall2 or any other firewall? Shorewall offers a decent GUI for your advanced configurations, while SuSE offers advanced Firewall configurations under a conf file: /etc/sysconfig/SuSEfirewall2 or, if you want to enter it from Yast, go to: Yast->System->/etc/sysconfig Editor->Network->Firewall->SuSEfirewall2 All firewalls need fine detail and understanding of networks. We can go all day long and discuss which firewalls are better. It's a matter of opinion and what you are comfortable with, So in other words; GUI or Conf files????????? Here's a good site to do some readings. See below: http://www.linuxsecurity.com/content/view/101892/155/ JD
All firewalls need fine detail and understanding of networks. We can go all day long and discuss which firewalls are better. It's a matter of opinion and what you are comfortable with, So in other words; GUI or Conf files?????????
Here's a good site to do some readings. See below:
Here's another link if you think you want to try your hand at a custom script: http://iptables-tutorial.frozentux.net/chunkyhtml/index.html Last I heard the author was working on expanding this tutorial into a book. This is the most often recommended resource on the netfilter mailing list. Jeff
How to unlock a Thunderbird profile that was left open (power failure)? While starting, thunderbird reports that cannot use the profile "default" because it is in use.
<disclaimer> This is just a guess </disclaimer> search for a .lock file (e.g. thunderbird.lock)? B-) On Wednesday 16 February 2005 12:44 pm, Flavio Arthur Leal Ferreira wrote:
How to unlock a Thunderbird profile that was left open (power failure)? While starting, thunderbird reports that cannot use the profile "default" because it is in use.
* Flavio Arthur Leal Ferreira <flavio-arthur@redemeta.com.br> [02-16-05 14:48]:
How to unlock a Thunderbird profile that was left open (power failure)? While starting, thunderbird reports that cannot use the profile "default" because it is in use.
look in ~/.mozilla/firefox/????????.default for "lock@ -> <some number>" and delete the lock file. Please, when you start a new thread/message, type the address or copy and paste. Do not respond to another message and delete the Subject: unless you also delete the 'In-Reply-To:' and 'References:' headers also. Not following this procedure destroys the 'message threading' for those email clients having that capability. If you do not understand this request, please ask and I will attempt a better explanation. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos
* Patrick Shanahan <ptilopteri@gmail.com> [02-16-05 14:55]:
* Flavio Arthur Leal Ferreira <flavio-arthur@redemeta.com.br> [02-16-05 14:48]:
How to unlock a Thunderbird profile that was left open (power failure)? While starting, thunderbird reports that cannot use the profile "default" because it is in use.
look in ~/.mozilla/firefox/????????.default
--> this should be ~/. <thunder-bird's directory> -------
for "lock@ -> <some number>"
and delete the lock file.
Please, when you start a new thread/message, type the address or copy
-- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos
Patrick, El Mié 16 Feb 2005 14:54, Patrick Shanahan escribió:
Not following this procedure destroys the 'message threading' for those email clients having that capability.
That's interesting, as under my KMail the OP's message appeared as first of a new thread. Didn't notice any thread hijacking, although the references to another thread's messages are apparent in its headers. Regards, -- Andreas Philipp Noema Ltda. Bogotá, D.C. - Colombia http://www.noemasol.com
* Andreas Philipp <andreas.philipp@noemasol.com> [02-16-05 16:19]:
El Mié 16 Feb 2005 14:54, Patrick Shanahan escribió:
Not following this procedure destroys the 'message threading' for those email clients having that capability.
That's interesting, as under my KMail the OP's message appeared as first of a new thread. Didn't notice any thread hijacking, although the references to another thread's messages are apparent in its headers.
You will not see the other messages from the thread if you have already deleted them. The new post would *then* appear as a *new* thread. kapish.. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery
Patrick, El Mié 16 Feb 2005 17:01, Patrick Shanahan escribió:
That's interesting, as under my KMail the OP's message appeared as first of a new thread. Didn't notice any thread hijacking, although the references to another thread's messages are apparent in its headers.
You will not see the other messages from the thread if you have already deleted them. The new post would *then* appear as a *new* thread.
kapish..
I keep 30 days worth of messages of the list, so I don't think this is what makes the message appear as first message of a new thread. Unless, of course, the original message referenced a thread older than that, which I am right now too lazy to check out. And yes, I kapish ... -- Andreas Philipp Noema Ltda. Bogotá, D.C. - Colombia http://www.noemasol.com
El Mié 16 Feb 2005 17:07, Andreas Philipp escribió:
Patrick,
I keep 30 days worth of messages of the list, so I don't think this is what makes the message appear as first message of a new thread. Unless, of course, the original message referenced a thread older than that, which I am right now too lazy to check out.
Well, my curiosity prevailed and yes, the referenced messages seem to be from 2005-01-09, so they would have been deleted from my folder. Then nothing interesting has happened. -- Andreas Philipp Noema Ltda. Bogotá, D.C. - Colombia http://www.noemasol.com
* Andreas Philipp <andreas.philipp@noemasol.com> [02-16-05 17:20]: ...
I keep 30 days worth of messages of the list, so I don't think this is what makes the message appear as first message of a new thread. Unless, of course, the original message referenced a thread older than that, which I am right now too lazy to check out.
Well, I have retained posts that were interesting at the time and happened to fit in this case is why I noticed. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery
Wed, 16 Feb 2005, by ptilopteri@gmail.com:
* Andreas Philipp <andreas.philipp@noemasol.com> [02-16-05 16:19]:
El Mié 16 Feb 2005 14:54, Patrick Shanahan escribió:
Not following this procedure destroys the 'message threading' for those email clients having that capability.
That's interesting, as under my KMail the OP's message appeared as first of a new thread. Didn't notice any thread hijacking, although the references to another thread's messages are apparent in its headers.
You will not see the other messages from the thread if you have already deleted them. The new post would *then* appear as a *new* thread.
Not in Mutt you wouldn't. You'd see an arrow before the subject in the index, telling you something's fishy. It totally amazes me why people find this reply/delete stuff/add stuff easier than just put the list-address in the addressbook and use that for a new post. But then, I see people do a lot of whacky things (mostly involving their beloved CTS tool, aka mouse) that takes 'm double the time that I need. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 9.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.8 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +
* Theo v. Werkhoven <twe-suse.e@ferrets4me.xs4all.nl> [02-17-05 18:04]:
Wed, 16 Feb 2005, by ptilopteri@gmail.com:
You will not see the other messages from the thread if you have already deleted them. The new post would *then* appear as a *new* thread.
Not in Mutt you wouldn't. You'd see an arrow before the subject in the index, telling you something's fishy.
This is true, and I *do* use mutt but did *not* look at the thread indicator as I still had/have a message from the original thread.
It totally amazes me why people find this reply/delete stuff/add stuff easier than just put the list-address in the addressbook and use that for a new post. But then, I see people do a lot of whacky things (mostly involving their beloved CTS tool, aka mouse) that takes 'm double the time that I need.
If you started before there were mice, you probably still prefer the keyboard and, maybe, wordstar key sequences, unless you came up on unix instead of cp/m. But you are also showing your age <grin>.. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery
* Flavio Arthur Leal Ferreira <flavio-arthur@redemeta.com.br> [02-16-05 14:48]:
How to unlock a Thunderbird profile that was left open (power failure)? While starting, thunderbird reports that cannot use the profile "default" because it is in use.
look in ~/.mozilla/firefox/????????.default for "lock@ -> <some number>"
and delete the lock file.
But I have problem, that this lock file remains there, although I close Thunderbird (and Firefox, Mozilla has same problem) nicely, even logout or halt computer. And in another computer I would have to delete manually this lock file in order to use default profile... Any suggestions?
* Taavi Dovnar <taavid@www.luunja.edu.ee> [02-20-05 05:53]:
But I have problem, that this lock file remains there, although I close Thunderbird (and Firefox, Mozilla has same problem) nicely, even logout or halt computer. And in another computer I would have to delete manually this lock file in order to use default profile... Any suggestions?
When you have the problem, run from the command-line: ps aux|grep -i thunderbird to see if any instances of thunderbird remain. If so (and I suspect that this is your problem), issue from the command-line: kill -9 <pid #'s of thunderbird> and the lock file will magically disappear. -- Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/gallery
Patrick, Tavi, On Sunday 20 February 2005 07:03, Patrick Shanahan wrote:
* Taavi Dovnar <taavid@www.luunja.edu.ee> [02-20-05 05:53]:
But I have problem, that this lock file remains there, although I close Thunderbird (and Firefox, Mozilla has same problem) nicely, even logout or halt computer. And in another computer I would have to delete manually this lock file in order to use default profile... Any suggestions?
When you have the problem, run from the command-line: ps aux|grep -i thunderbird
to see if any instances of thunderbird remain. If so (and I suspect that this is your problem), issue from the command-line: kill -9 <pid #'s of thunderbird>
and the lock file will magically disappear.
That's very doubtful. Signal 9, SIGKILL, cannot be caught or ignored, so using it to kill a process _guarantees_ that it will not be able to perform its shut-down clean-up operations. Use plain "kill". The default signal, SIGTERM, is a _request_ for the process to terminate. Well written programs that require clean-up before termination will catch this signal and exit gracefully when they receive it. Programs that don't need to perform cleanup will also be terminated by this signal, since by default it causes the process to exit.
-- Patrick Shanahan
Randall Schulz
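Patrick's recipe (check with ps whether a thunderbird is still running, kill it, and the lock file goes away) and Randall's correction (plain kill lets the program clean up, kill -9 does not) can be demonstrated without Thunderbird at all. The script below is an added example written for this thread, not code from either poster: a background shell process stands in for an application that holds a profile lock file and removes it only on SIGTERM, so the difference between the two signals shows up as a lock file that is either removed or left behind. The lock file path, the process name checked by remove_stale_lock, and the "lock-removed"/"lock-stale" labels are my own; the real Thunderbird lock format is not reproduced.

```shell
#!/bin/sh
# Added example, not from the list thread: a stand-in "application" that holds
# a lock file and removes it only if it is allowed to shut down cleanly.

# Start a background process that creates lock file $1, removes it on SIGTERM
# and otherwise idles. Its PID is left in APP_PID (not echoed, so the process
# stays a child of the calling shell and can be reaped with wait).
start_locked_app() {
    app_lock="$1"
    (
        trap 'rm -f "$app_lock"; exit 0' TERM   # graceful shutdown: drop the lock
        : > "$app_lock"                         # take the lock
        while :; do sleep 1; done               # pretend to be busy
    ) &
    APP_PID=$!
    i=0                                         # wait until the lock exists
    while [ ! -e "$app_lock" ] && [ "$i" -lt 5 ]; do sleep 1; i=$((i+1)); done
}

# Send signal $3 (TERM or KILL) to PID $1, wait for it to exit, and record in
# STOP_RESULT whether lock file $2 survived: "lock-removed" or "lock-stale".
stop_and_check() {
    pid="$1"; lock="$2"; sig="$3"
    kill -s "$sig" "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true             # reap; SIGKILL gives status 137
    if [ -e "$lock" ]; then STOP_RESULT=lock-stale; else STOP_RESULT=lock-removed; fi
}

# Run the comparison in a scratch directory: SIGTERM first (the trap runs and
# removes the lock), then SIGKILL (no trap can run, the lock stays behind).
# Returns e.g. "TERM=lock-removed KILL=lock-stale".
compare_signals() {
    dir=$(mktemp -d)
    start_locked_app "$dir/lock"
    stop_and_check "$APP_PID" "$dir/lock" TERM
    term="$STOP_RESULT"
    start_locked_app "$dir/lock"
    stop_and_check "$APP_PID" "$dir/lock" KILL
    killed="$STOP_RESULT"
    rm -rf "$dir"
    echo "TERM=$term KILL=$killed"
}

# The manual clean-up the thread ends up with, with one refinement: pgrep -x
# matches the exact process name, so it cannot match its own grep the way
# "ps aux | grep -i thunderbird" does. Removes lock $1 only when no process
# named $2 is running; prints "removed" or "still-running".
remove_stale_lock() {
    lock="$1"; name="$2"
    if pgrep -x "$name" >/dev/null 2>&1; then
        echo still-running
    else
        rm -f "$lock"
        echo removed
    fi
}
```

Running compare_signals takes a couple of seconds because the stand-in only notices SIGTERM after its current sleep returns; that delay is the same reason Randall gives for trying plain kill first and reaching for -9 only if the process does not go away.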
Patrick Shanahan wrote:
* Taavi Dovnar <taavid@www.luunja.edu.ee> [02-20-05 05:53]:
But I have problem, that this lock file remains there, although I close Thunderbird (and Firefox, Mozilla has same problem) nicely, even logout or halt computer. And in another computer I would have to delete manually this lock file in order to use default profile... Any suggestions?
When you have the problem, run from the command-line: ps aux|grep -i thunderbird
to see if any instances of thunderbird remain. If so (and I suspect that this is your problem), issue from the command-line: kill -9 <pid #'s of thunderbird>
I believe you can also just <ctrl> <esc> from the keyboard, the process table dialog will pop up, and you can scroll down the list of active process' selecting each instance of thunderbird and then clicking on the kill button. dave
and the lock file will magically disappear.
-- David C. Johanson Linux Counter # 116410 Powered by SuSE Linux 7.3 People who behold a phenomenon will often extend their thinking beyond it; people who merely hear about the phenomenon will not be moved to think at all. -- Goethe
David Johanson wrote: <snip>
I believe you can also just <ctrl> <esc> from the keyboard, the process table dialog will pop up, and you can scroll down the list of active process' selecting each instance of thunderbird and then clicking on the kill button.
Hi Dave, That's an interesting keyboard shortcut. Before I try it, is there a comparable shortcut that gets you back where you were? thanks! - Carl -- C. E. Hartung Business Development & Support Services http://www.cehartung.com/ carlh@cehartung.com Dover Foxcroft, Maine, USA Public Key #0x68396713 Reg. Linux User #350527 http://counter.li.org/
Carl, On Sunday 20 February 2005 09:42, Carl E. Hartung wrote:
David Johanson wrote: <snip>
I believe you can also just <ctrl> <esc> from the keyboard, the process table dialog will pop up, and you can scroll down the list of active process' selecting each instance of thunderbird and then clicking on the kill button.
Hi Dave,
That's an interesting keyboard shortcut. Before I try it, is there a comparable shortcut that gets you back where you were?
ALT-F4. I.e., just close the window. It's not really special.
thanks!
- Carl
Randall Schulz
Carl,
On Sunday 20 February 2005 09:42, Carl E. Hartung wrote:
David Johanson wrote: <snip>
I believe you can also just <ctrl> <esc> from the keyboard, the process table dialog will pop up, and you can scroll down the list of active process' selecting each instance of thunderbird and then clicking on the kill button.
Hi Dave,
That's an interesting keyboard shortcut. Before I try it, is there a comparable shortcut that gets you back where you were?
On Sun, 2005-02-20 at 10:04 -0800, Randall R Schulz wrote:
ALT-F4. I.e., just close the window. It's not really special.
I suspect the OP was meaning to unkill i.e. a restore button having not looked at the result of doing ctrl esc yet. I did and found it interesting and did a file> quit to close the window. So I have also learnt the alt-F4 does the same thing as well from this thread. Thanks again to those further down the Linux road. Regards Roger
Roger, On Sunday 20 February 2005 10:13, Roger Beever wrote:
On Sun, 2005-02-20 at 10:04 -0800, Randall R Schulz wrote:
Carl,
On Sunday 20 February 2005 09:42, Carl E. Hartung wrote:
David Johanson wrote: <snip>
I believe you can also just <ctrl> <esc> from the keyboard, the process table dialog will pop up, and you can scroll down the list of active process' selecting each instance of thunderbird and then clicking on the kill button.
Hi Dave,
That's an interesting keyboard shortcut. Before I try it, is there a comparable shortcut that gets you back where you were?
ALT-F4. I.e., just close the window. It's not really special.
I suspect the OP was meaning to unkill i.e. a restore button having not looked at the result of doing ctrl esc yet.
Huh? A killed process is no more. They cannot be resurrected.
I did and found it interesting and did a file> quit to close the window So I have also learnt the alt-F4 does the same thing as well from this thread. Thanks again to those further down the Linux road.
Keep in mind that these are just defaults. The KDE Control center allows you to assign keyboard shortcuts to dozens of actions.
Regards Roger
Randall Schulz
Randall R Schulz wrote:
ALT-F4. I.e., just close the window. It's not really special.
Thanks Randall (and Patrick), That was pretty easy, alright. I just like knowing what to expect and how to back out if something goes amiss. - Carl -- C. E. Hartung Business Development & Support Services http://www.cehartung.com/ carlh@cehartung.com Dover Foxcroft, Maine, USA Public Key #0x68396713 Reg. Linux User #350527 http://counter.li.org/
But I have problem, that this lock file remains there, although I close Thunderbird (and Firefox, Mozilla has same problem) nicely, even logout or halt computer. And in another computer I would have to delete manually this lock file in order to use default profile... Any suggestions?
When you have the problem, run from the command-line: ps aux|grep -i thunderbird
to see if any instances of thunderbird remain. If so (and I suspect that this is your problem), issue from the command-line: kill -9 <pid #'s of thunderbird>
No, program is closed nicely... Lock still remains.
Taavi, On Tuesday 22 February 2005 11:45, Taavi Dovnar wrote:
But I have problem, that this lock file remains there, although I close Thunderbird (and Firefox, Mozilla has same problem) nicely, even logout or halt computer. And in another computer I would have to delete manually this lock file in order to use default profile... Any suggestions?
When you have the problem, run from the command-line: ps aux|grep -i thunderbird
to see if any instances of thunderbird remain. If so (and I suspect that this is your problem), issue from the command-line: kill -9 <pid #'s of thunderbird>
No, program is closed nicely... Lock still remains.
I repeat, don't use "kill -9". It's rarely necessary and when it is it's a sign of a problem. Use plain old "kill" so that target processes have a chance to do their clean-up (lock file removal, e.g.). If that doesn't lead to the program's termination, then you can try "kill -9". Randall Schulz
And in another computer I would have to delete manually this lock file in order to use default profile... Any suggestions?
When you have the problem, run from the command-line: ps aux|grep -i thunderbird
to see if any instances of thunderbird remain. If so (and I suspect that this is your problem), issue from the command-line: kill -9 <pid #'s of thunderbird>
No, program is closed nicely... Lock still remains.
I repeat, don't use "kill -9". It's rarely necessary and when it is it's a sign of a problem. Use plain old "kill" so that target processes have a chance to do their clean-up (lock file removal, e.g.). If that doesn't lead to the program's termination, then you can try "kill -9".
Well, I close programs from cross in the upper right corner... Is it OK? :) And after I close it, ps ax shows no Firefox/Thunderbird anymore.
Taavi, On Tuesday 22 February 2005 22:18, Taavi Dovnar wrote:
And in another computer I would have to delete manually this lock file in order to use default profile... Any suggestions?
When you have the problem, run from the command-line: ps aux|grep -i thunderbird
to see if any instances of thunderbird remain. If so (and I suspect that this is your problem), issue from the command-line: kill -9 <pid #'s of thunderbird>
No, program is closed nicely... Lock still remains.
I repeat, don't use "kill -9". It's rarely necessary and when it is it's a sign of a problem. Use plain old "kill" so that target processes have a chance to do their clean-up (lock file removal, e.g.). If that doesn't lead to the program's termination, then you can try "kill -9".
Well, I close programs from cross in the upper right corner... Is it OK?
Of course. That's the primary way. However, if there's a problem with the application, it may not work. Then again, if there's a problem with the application, kill might not work, either, but in most cases, fewer things need to be in good working order, if you will, for kill to succeed than for the close box to work.
:) And after I close it, ps ax shows no Firefox/Thunderbird anymore.
Then it's gone, it's safe to say. Randall Schulz
JD. Brown wrote:
Bottom line is this; How much are you willing to read and understand the SuSEfirewall2 or any other firewall?
Actually, SuSEfirewall2 is not a firewall at all; it is simply a tool to assist you in building and implementing a functioning firewall. The actual firewall is what is displayed when you run 'iptables -L'. So the bottom line is actually this: what do I need to do in order that 'iptables -l' will show me precisely what I want my firewall to do? No matter what method I choose to implement the set of rules I need, first I must come up with a coherent set of rules based on my particular needs. In this you are quite correct when you say "all firewalls need fine detail and understanding of networks." However, I fail to see what difference it makes if I use Yast, or if I use vi, to modify my SuSEfirewall2 config file. It is far more than simply "GUI or conf files" as you put it, because the GUI is simply another tool, and you cannot make any valid conf file changes with your favourite editor that you cannot also make in Yast. Neither one can help you to build a firewall except insofar as they allow you to make changes to a pre-existing configuration file. Whatever firewall you can come up is still bound within the limitations of that config file. I repeat my statement that SuSEfirewall can meet most modest firewall requirements, but for anything more complex you need something else. Perhaps you take issue with my use of the word "modest." It may put things in perspective for you to understand that I regard general relativity as a "modest" attempt at a theory of gravity. However, it has its limitations, just as SuSEfirewall2 has its limitations. If it did not, the author of the script that implements it (/sbin/SuSEfirewall2) would not have needed to allow for custom rules. If you really wish to understand SuSEfirewall2 you really do have to read the config file in conjunction with the implementing script. 
That script is incredibly complex, and necessarily so: SuSEfirewall2, like any good _tool_, tries to minimize the extra effort that will be needed by the maximum possible number of people. Emphasis here is on "min" and "max"; those do not, cannot, equate to "zero" and "all", because no tool can possibly anticipate every requirement. Let me repeat something which you seem to have missed or forgotten when you wrote the above: SuSEfirewall2 does a good job within its limitations. There is no question of "this or that firewall is better," because all that matters is whether or not you can use the _tool_ to design and implement the kind of firewall you need. Neither SuSEfirewall2 nor Shorewall are actual firewalls; they are, as I have stated, merely tools to assist the user in designing and implementing a firewall. In this regard, the only acceptable point of discussion is whether or not SuSEfirewall2 can meet all of your particular requirements; if it can, then by all means go ahead and use it. If not, then you need something else. Most people should not need something else, for otherwise the guy that wrote it would have wasted a lot of good work.
On Mon January 10 2005 20:52, Darryl Gregorash wrote:
So the bottom line is actually this: what do I need to do in order that 'iptables -l' will show me precisely what I want my firewall to do?
Darryl, Thank you for clearing me up a bit. JD
On Monday 10 January 2005 00:27, Darryl Gregorash wrote:
Colin Murphy wrote:
What is the difference between SuseFirewall2 and the firewalls found in other distros - which I am assuming are referred to as IPTables.
Susefirewall2 is just a set of scripts and configuration files to configure IPtables on the fly, which is probably the same as most distros offer.
So, if I wanted to share details about my firewall to someone who was not familiar with Suse and their scripts what information could I show them that they would understand? Webmin is also running on the firewall box. Changes made to the firewall through Yast do not appear in whatever firewall Webmin shows under the module of 'Linux Firewall', as far as I can see. What is this looking at? -- Colin@SpudULike.me.uk As seasons go I especially like pepper.
On Mon January 10 2005 06:09, Colin Murphy wrote:
So, if I wanted to share details about my firewall to someone who was not familiar with Suse and their scripts what information could I show them that they would understand?
If you just look in : /etc/sysconfig/SuSEfirewall2 (F.Y.I= This is where advance configurations take place) You will see paragraphs 1-29, explaining what each function does. If you do a google search for SuSEfirewall2 and/or SuSE firewall. You will see third party authors that have written detailed descriptions on what each 1-29 function does. There is quite a bit of reading to do.
Webmin is also running on the firewall box. Changes made to the firewall through Yast do not appear in whatever firewall Webmin shows under the module of 'Linux Firewall', as far as I can see. What is this looking at?
Webmin and SuSEfirewall2 are two separate firewall programs. Webmin stores its conf file in: /etc/webmin For log services on Webmin. Look at /var/webmin. While SuSE firewall: /etc/sysconfig/SuSEfirewall2 For log services on SuSEfirewall2. Just look at /var/log. Overall if you are running both, at the same time, You can be causing a big confusion for your allowed services running at the firewall level. JD
On Monday 10 January 2005 1:56 pm, JD. Brown wrote:
Webmin and SuSEfirewall2 are two separate firewall programs.
> snip <
Overall if you are running both, at the same time, You can be causing a big confusion for your allowed services running at the firewall level.
JD
I'll second that. My experience has taught me to use only one method of configuring your firewall such as Webmin, YaST/SuSEfirewall2 or manually. Do not switch between these methods while editing the firewall config of a running system. Great confusion results and manual editing of config files or remove/reinstall the applications are needed to correct it. There is a webmin plugin for SuSEfirewall2 that allows you to edit the SUSEfirewall2 config within Webmin. But again, don't switch between this and YaST. Even though you configure the Webmin module to use the exact same files as YaST. I never saw them co-exist at all on my system. My advice is choose one method of maintaining the firewall and stick with it. But then I found Shoreline's Shorewall firewall with Webmin plugin way easier to understand and use. Stan
Colin Murphy wrote:
So, if I wanted to share details about my firewall to someone who was not familiar with Suse and their scripts what information could I show them that they would understand?
Webmin is also running on the firewall box. Changes made to the firewall through Yast do not appear in whatever firewall Webmin shows under the module of 'Linux Firewall', as far as I can see. What is this looking at?
The SuSEfirewall2 configuration is stored in /etc/sysconfig/SuSEfirewall2. It's got good explanations of what each variable means and how to set it, so anyone with a basic understanding of IPtables should be able to understand your firewall. If there is any need to consult the scripts, they are /etc/init.d/SuSEfirewall2_* (and are run in this order: init, setup, final) plus /sbin/SuSEfirewall2, the latter being the script that does all the real work. However, there probably shouldn't be any need for anyone to actually read those to know what your firewall is doing: the config file contains all the essential information, and the scripts are just a means to implement that information. I'm not familiar with Webmin (yet another thing on a rather long list of things to do :-) ). However, it must have its own config file(s) somewhere, and Yast (or your favourite text editor) won't know anything about that. Webmin also won't know anything about how SuSEfirewall2 is structured. Also, if Webmin reads the current active firewall state from the kernel, any time you made a change to the rules in SuSEfirewall2 (and restarted the firewall of course!), you would need to re-read the firewall in Webmin before the change would show up.
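Darryl's point in both of his posts is that SuSEfirewall2 is not the firewall but a script that turns the variables in /etc/sysconfig/SuSEfirewall2 into iptables rules, and that what you can show someone from another distro is the resulting rule set. The script below is an added example written for this thread, not SuSEfirewall2's own /sbin/SuSEfirewall2 and not code from any poster: a miniature translator that reads two of the real variable names from that file (FW_DEV_EXT, the external interface, and FW_SERVICES_EXT_TCP, the TCP ports opened on it) out of a constructed sample config and prints the iptables commands instead of running them. The rule layout it produces is my own simplification, not what SuSEfirewall2 generates, and the config file is parsed with grep rather than sourced, so a stray command in the file cannot be executed by the translator.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2's own code: a tiny sysconfig-to-iptables
# translator that prints the rules it would apply. Runs without root.

# Write a constructed sample config in /etc/sysconfig/SuSEfirewall2 syntax
# to the path given as $1. The two variable names are real; the values are
# made up for the example.
write_sample_config() {
    cat > "$1" <<'EOF'
## Constructed sample, modelled on /etc/sysconfig/SuSEfirewall2 syntax.
## External interface (the one facing the untrusted network):
FW_DEV_EXT="eth0"
## TCP services reachable from the external interface:
FW_SERVICES_EXT_TCP="22 443"
EOF
}

# Read the last KEY="value" assignment for KEY $2 from file $1 without
# sourcing the file (sourcing would execute anything written in it).
cfg_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# Print the iptables commands derived from config file $1. This is the
# "firewall" a reader from any distro can understand: the same thing
# 'iptables -L' or 'iptables-save' shows once the rules are loaded.
render_rules() {
    cfg="$1"
    ext=$(cfg_get "$cfg" FW_DEV_EXT)
    tcp=$(cfg_get "$cfg" FW_SERVICES_EXT_TCP)
    printf '%s\n' \
        "iptables -P INPUT DROP" \
        "iptables -P FORWARD DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # one ACCEPT per listed port, restricted to the external interface
    for port in $tcp; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$ext" "$port"
    done
    # log what falls through to the DROP policy so denied traffic is visible
    printf 'iptables -A INPUT -i %s -j LOG --log-prefix "FW-DROP: "\n' "$ext"
}
```

To read the output, run `render_rules` on the sample file; it prints seven commands, one per rule. Only pipe it into a root shell on a test machine: it sets the INPUT policy to DROP, so a box whose SSH port is not in FW_SERVICES_EXT_TCP would lock you out. On a live SUSE box the distribution-neutral view Colin asked for is the output of `iptables-save`, which lists exactly the rules the scripts loaded, whoever generated them.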
participants (15)
- Andreas Philipp
- Brad Bourn
- Carl E. Hartung
- Colin Murphy
- Darryl Gregorash
- David Johanson
- Flavio Arthur Leal Ferreira
- JD. Brown
- Jeffrey Laramie
- Patrick Shanahan
- Randall R Schulz
- Roger Beever
- Stan Glasoe
- Taavi Dovnar
- Theo v. Werkhoven